Office of Inspector General
Audit Report

IMPROVEMENTS TO DOT’S GOVERNANCE PROCESSES ARE NEEDED TO ENHANCE OVERSIGHT OF MAJOR IT INVESTMENTS

Office of the Secretary of Transportation
Federal Aviation Administration

Report Number: ZA-2013-057
Date Issued: March 27, 2013

Memorandum

U.S. Department of Transportation
Office of the Secretary of Transportation
Office of Inspector General

Subject: ACTION: Improvements to DOT’s Governance Processes Are Needed To Enhance Oversight of Major IT Investments
Report Number ZA-2013-057
Office of the Secretary of Transportation
Federal Aviation Administration
Date: March 27, 2013

From: Mary Kay Langan-Feirson, Assistant Inspector General for Acquisition and Procurement Audits
Reply to Attn. of: JA-60

To: Deputy Secretary
    Federal Aviation Administrator

The U.S. Department of Transportation’s (DOT) fiscal year 2012 major information technology (IT) investment portfolio was just over $2.2 billion.[1] About 94 percent ($2.07 billion) of the portfolio is managed by the Federal Aviation Administration (FAA). FAA’s major IT investments fund important aviation modernization programs, including the Next Generation Air Transportation System (NextGen), a multibillion-dollar effort to modernize the U.S. air traffic control system.[2] However, since 2005, FAA has experienced cost overruns, schedule delays, or both on 7 of its 14 major air traffic control IT programs, including 1 that exceeded original cost estimates by $2 billion and was delayed by 14 years.[3] Our office and the Government Accountability Office (GAO) have issued numerous audit reports and testimonies related to FAA’s major IT investments that point to longstanding and significant concerns in the Agency’s management and oversight of these critical programs (see exhibit B).

[1] OMB Circular A-130, “Management of Federal Information Resources,” defines “major information system(s)” as those that require special management attention for reasons including importance to the agency’s mission; high development, operating, or maintenance costs; or significant role in administering agency programs. The $2.2 billion represents DOT’s major IT investments as reported on OMB’s IT dashboard, as of September 2012. DOT’s total portfolio including non-major IT investments is $3.0 billion.
[2] According to FAA’s fiscal year 2012 enacted budget, 30 percent of its IT investment portfolio is devoted to NextGen programs.
[3] FAA’s February 2012 Capital Investment Plan, Appendix D.

To improve oversight of major Federal IT investments, the Office of Management and Budget (OMB) called for agencies to establish executive investment governance processes.
In response, DOT established a departmental Investment Review Board (IRB), effective December 4, 2009, to help ensure the Department realizes optimal value for its IT investments. DOT also required that individual IRBs be established within each of its 12 Operating Administrations that are responsible for overseeing their IT investments. The Joint Resources Council (JRC) serves as FAA’s IRB to help ensure FAA’s capital investments fulfill mission priorities and maximize resources.

Given the cost, complexity, and importance of major IT investments to the Department’s mission, we assessed whether (1) DOT’s investment governance practices meet Federal and statutory investment oversight requirements and best practices, and (2) FAA and DOT provide sufficient oversight of FAA’s major IT investments.

In conducting this audit, we analyzed DOT’s and FAA’s investment review policies and practices, interviewed IRB and JRC members, surveyed Chief Information Officers (CIO) at all 12 of DOT’s Operating Administrations, and reviewed all 15 key investment decisions that the JRC made in calendar year 2010 through November 2011, worth a combined value of over $2.6 billion. We conducted this review between September 2011 and January 2013 in accordance with generally accepted Government auditing standards prescribed by the Comptroller General of the United States. Exhibit A provides further details on our scope and methodology.

RESULTS IN BRIEF
DOT’s investment oversight practices do not fully meet OMB requirements or DOT policies. Specifically, DOT does not have an active IRB or supporting boards to provide a comprehensive management framework.
Until recently,[4] the Department had not held a senior management level IRB meeting in almost 2 years, despite OMB requirements to meet periodically and DOT’s 2009 IRB Charter requirements to meet semiannually.[5] IRB meetings are intended to provide strategic oversight of DOT’s entire IT investment portfolio. Instead, DOT relied solely on evidence-based TechStat accountability sessions, which are, by design, less comprehensive than IRB reviews because they focus on individual troubled or underperforming programs. OMB requires that agencies use TechStat sessions and specifies that the sessions should supplement rather than replace agency IRB reviews.[6] Additionally, DOT did not fully implement OMB’s TechStat guidance. For example, DOT did not consistently hold program offices accountable for completing assigned action items, which, according to OMB, is a key objective of TechStat sessions. For the 8 TechStat sessions we reviewed, DOT did not track 56 percent of action items to completion. During our audit, DOT initiated actions intended to reform its IT investment oversight, such as issuing a high-level departmental IT governance policy[7] and proposing a new framework for IT governance. However, DOT has not yet developed comprehensive plans and procedures to implement this new framework.

[4] On December 14, 2012, DOT held its first IRB meeting since February 2011. The meeting did not include a review of DOT’s IT portfolio. Instead, the Office of the CIO (OCIO) presented a proposed framework for departmentwide IT governance and a draft, updated IRB charter, which was dated October 23, 2012.
[5] OMB Circular A-130, “Management of Federal Information Resources,” requires agencies to establish oversight mechanisms that require periodic review of information systems. Under DOT’s IRB charter, dated December 4, 2009, the IRB is to meet semiannually to provide strategic direction, leadership, and alignment of IT investments and programs with DOT business needs and direction, budget objectives, goals, performance planning, and reporting to conduct investment oversight duties.

FAA and DOT face challenges in providing sufficient oversight of FAA’s major IT investments. FAA’s JRC has a comprehensive framework for investment governance, yet the Agency does not always follow the JRC approval and oversight process. For example, program offices do not always submit critical investment information—such as program requirements and cost and schedule estimates—prior to JRC investment decisions, and the JRC Secretariat does not maintain a complete repository of investment information as FAA’s Acquisition Management System (AMS) requires.[8] Consequently, the JRC risks making investment decisions with incomplete information, which could jeopardize the success of critical FAA programs. FAA has recently created a new Program Management Office (PMO) for its Air Traffic Organization (ATO) to oversee the execution of its IT programs and supplement the JRC; however, this group is not yet fully staffed and lacks processes needed to function effectively in this role. Finally, DOT’s IT governance process provides only limited oversight of FAA’s major IT investments—even though FAA’s IT investments comprise 94 percent ($2.07 billion) of DOT’s fiscal year 2012 major investment portfolio.
Notably, DOT has only reviewed two FAA programs in the past 2 years.

We are making a series of recommendations to improve DOT’s and FAA’s oversight of major IT investments.

[6] OMB guidance, A Year in Review: Outcomes and Lessons Learned from Implementing Agency-Led TechStat Reviews Across the Federal Government, states that TechStat reviews are to be integrated into the agency’s broader IT management framework. OMB also states that TechStats should not be viewed as a separate investment review process.
[7] DOT Policy Order 1351.39, dated August 29, 2012.
[8] AMS Appendix A, Roles and Responsibilities.

BACKGROUND
Since the 1990s, Federal initiatives have called for agencies to use rigorous governance processes to manage their investments. The Clinger-Cohen Act of 1996 establishes the CIO position in Federal executive agencies and requires each agency to implement a management framework to optimize IT expenditures.[9] OMB’s Circular A-130, “Management of Federal Information Resources,” issued November 2000, requires the agency’s CIO to (1) monitor and evaluate IT investment performance through a capital planning and investment control process, and (2) advise the agency head on budgetary implications of IT decisions. In response, DOT chartered its IRB in December 2009. In addition to the departmentwide IRB, the Department required each DOT Operating Administration to establish an IRB to select and manage their individual investments.

FAA’s IRB is the JRC.
Under FAA’s AMS, the JRC is to help ensure FAA’s capital investments fulfill mission priorities and maximize resources, and the JRC Executive Secretariat manages a Readiness Process intended to determine if its investments align with FAA’s mission. FAA’s Capital Investment Planning and Control Process prescribes key decision points to determine and prioritize investment decisions, implement solutions, and manage them over their lifecycle (see table 1).

Table 1. Key Decision Points in FAA’s Lifecycle Management Process

Key Decision                                  Definition

Concept & Requirements Definition Readiness   Translates priority operational needs in the Enterprise
                                              Architecture (EA) into preliminary requirements and a
                                              concept of operations to improve service delivery.
                                              Identifies alternative solutions able to satisfy the
                                              service need.

Investment Analysis Readiness                 The Investment Decision Authority (IDA) determines
                                              whether the concept of use, preliminary requirements,
                                              EA products, and alternatives are sufficiently defined
                                              to move to investment analysis.

Initial Investment                            Enables the IDA to select the best alternative that
                                              meets the required performance and offers the greatest
                                              value.

Final Investment                              Details planning for the alternative selected for
                                              implementation.

In-Service                                    Authorizes deployment of a solution into the
                                              operational environment.

Baseline Change                               Replans the remaining schedule and/or reallocates the
                                              remaining budget.

Source: FAA

Recently, OMB has placed increased importance on sound agency capital planning and IT investment governance to
improve the way Federal IT investments are managed. In December 2010, the Federal CIO issued an assessment of governmentwide IT governance and announced a plan for IT reform, which established the requirement for Federal agencies to conduct TechStat accountability sessions on troubled investments, and to turn around or terminate poorly performing projects.[10] In August 2011, OMB required that agency CIOs be positioned with the authority to improve their agencies’ operating efficiencies, take a lead governance role, and ensure IT portfolio analysis is an integral part of the annual budget process.[11]

[9] Clinger-Cohen Act of 1996 (formerly the Information Technology Management Reform Act), Pub. L. No. 104-106, Division E (1996); codified at 40 United States Code (U.S.C.) § 11101, et seq. (2011). According to FAA, the Clinger-Cohen Act does not apply to the Agency because 49 U.S.C. § 40110(d) empowers the FAA Administrator to establish the AMS to address the unique needs of FAA without requiring compliance with most Federal acquisition laws or regulations, including the Clinger-Cohen Act.
[10] OMB, 25 Point Implementation Plan to Reform Federal Information Technology Management, Dec. 9, 2010.
[11] OMB Memorandum, “Chief Information Officer Authorities,” Aug. 8, 2011.

In December 2011, the Federal CIO Council issued an assessment of agency-led TechStats after 1 year of implementation across the Federal Government. The Federal CIO Council’s report reiterated that TechStat accountability sessions (1) provide a valuable accountability tool to supplement existing agency review processes and IRBs, and (2) are intended to be integrated into agencies’ strategic, comprehensive performance management frameworks for their IT investment portfolios.[12]

[12] OMB guidance, A Year in Review: Outcomes and Lessons Learned from Implementing Agency-Led TechStat Reviews Across the Federal Government, Dec. 8, 2011.

DOT’S INVESTMENT OVERSIGHT PRACTICES DO NOT FULLY MEET OMB REQUIREMENTS OR DOT POLICIES
DOT does not have a comprehensive management framework for executive oversight of its $2.2 billion major IT investment portfolio. Instead of holding required senior management level IRB meetings, which focus on reviewing the Department’s entire IT investment portfolio, DOT had, until recently, relied solely on TechStat accountability sessions, which are intended to only focus on individual troubled or underperforming programs. Further, DOT has not fully implemented OMB’s TechStat guidance and has not held TechStats for several projects that DOT rates as “at risk.” During our audit, DOT initiated some actions intended to reform its IT investment framework, but it has not yet developed comprehensive plans and procedures to implement them.

DOT Does Not Have a Comprehensive Framework for Executive Oversight of Its IT Investments
Until recently, DOT’s IRB had not held required semiannual investment review sessions since February 2011. As a result, DOT has not complied with either OMB’s requirements for investment oversight or DOT’s 2009 IRB Charter, which outlines specific planning and oversight roles for the IRB. Officials from DOT’s Office of the CIO (OCIO) explained that the Department placed the IRB process in “hibernation” because the meetings were ineffective at overseeing DOT’s investments. According to OCIO officials, IRB members frequently delegated meeting attendance to lower ranking officials, so the IRB could not make meaningful decisions needed to oversee DOT’s IT investments. We briefed DOT on our audit findings in September 2012, and the OCIO subsequently held an IRB meeting on December 14, 2012. However, this IRB meeting did not include a review of DOT’s IT portfolio or troubled programs. Instead, the OCIO presented a proposed framework for DOT’s IT governance and a draft, updated IRB Charter, dated October 23, 2012. The OCIO did not schedule the next IRB meeting or establish action items to finalize the IT governance framework and IRB Charter.

In addition, while DOT’s 2009 IRB Charter designated a subcommittee called the Executive Committee (ExComm) to oversee the individual IRBs of DOT Operating Administrations,[13] it too stopped meeting. In response to our survey, 9 of 11 CIOs—who oversee their Operating Administration’s IRBs—stated that the ExComm has not assessed their IRBs’ performance. As such, the ExComm and OCIO lack full insight and are not well positioned to advise on investments approved by the Operating Administrations’ IRBs.[14]

[13] DOT’s 2009 IRB charter also requires the ExComm subcommittee to meet quarterly to ensure Operating Administrations execute their responsibilities for planning, selecting, acquiring, securing, operating, and managing IT investments.
[14] DOT’s draft, updated IRB charter, dated October 23, 2012, would eliminate the ExComm’s role and establish an Executive Secretariat to monitor Operating Administrations’ IRB performance.

Finally, while DOT’s Office of the Chief Financial Officer (OCFO) collaborates with Operating Administrations when they submit their annual budgets, DOT does not have a process to monitor and oversee Operating Administrations’ programs after they have been appropriated funding.[15] This is contrary to OMB’s requirement that agency CIOs not only have the authority to improve their agencies’ IT program operating efficiencies but that they also take a lead management advisory role, to include recommending termination of underperforming programs, when necessary.

[15] DOT’s December 14, 2012, proposed framework for IT governance provides a conceptual model illustrating at a high level the intended relationships among DOT’s IRB, the Operating Administration’s IRBs, and their budget offices.

Strategic departmentwide oversight is especially important in a decentralized department like DOT, which has 12 Operating Administrations, each with unique investment portfolios. Without an active IRB and supporting boards, DOT does not have a comprehensive management framework to provide executive oversight or integrated portfolio management of its $2.2 billion major IT investment portfolio. As a result, DOT is not well positioned to meet Federal requirements for investment oversight, which is intended to enforce accountability and maximize the value of IT investments.

DOT Relied Solely on TechStat Reviews of Individual Programs in Place of Strategic Oversight of the Department’s IT Portfolio
During our review, DOT relied solely on its TechStat accountability sessions for its
IT management framework. However, TechStats are intended to review individual troubled programs rather than support portfolio-wide investment decisions. In 2010, OMB required all agencies to conduct TechStat accountability sessions, which are evidence-based reviews of troubled or underperforming IT programs. While DOT began its TechStat accountability sessions in March 2011, it did not until recently hold IRB meetings, which are intended to provide strategic IT oversight for the entire Department. As a result, TechStat sessions had replaced rather than supplemented DOT’s IRB reviews, contrary to OMB guidance. As table 2 illustrates, TechStat reviews of individual programs serve a different purpose than IRB oversight of the Department’s entire IT portfolio. Since March 2011, DOT has only reviewed 9 of 44 (20 percent) major IT programs using TechStat accountability sessions. Such minimal oversight weakens DOT’s ability to effectively manage its entire IT investment portfolio.[16]

[16] The nine TechStat accountability sessions were held from March 2011 through April 2012. According to DOT OCIO officials, the OCIO cancelled two sessions scheduled in that timeframe because DOT did not want to review programs that OMB had already reviewed.

Table 2. Comparison of DOT’s IRB Reviews and TechStat Sessions

Purpose
    IRB Reviews (including ExComm) [a]
        • Provide strategic leadership
        • Align IT investments with DOT’s needs
        • Establish budget goals as well as performance planning and reporting
        • Review programs to provide executive management oversight of large-dollar, major, cross-agency, or troubled IT projects
        • Review Operating Administrations’ IRB performance and make specific project management recommendations
    TechStat Sessions [b]
        • Reduce wasteful spending by turning around troubled or risky programs, and terminating failed programs sooner
        • Identify lessons learned to better manage Federal IT Investments
        • Hold officials accountable for program success
        • Assign concrete actions to address weaknesses

Approach
    IRB Reviews (including ExComm) [a]
        • Semiannual IRB meetings
        • Quarterly ExComm meetings
    TechStat Sessions [b]
        • Monthly meetings

Voting Members/Attendees
    IRB Reviews (including ExComm) [a]
        • Deputy Secretary
        • DOT CIO
        • DOT CFO
        • Deputy General Counsel
        • Assistant Secretary for Administration
        • Under Secretary for Policy
        • Administrator from each DOT Operating Administration
    TechStat Sessions [b]
        • DOT CIO and staff
        • Program office of the troubled program

[a] According to the OCIO’s draft, updated IRB Charter (dated October 23, 2012, and pending approval), several changes are to be made to the IRB. For example, (1) the ExComm will be eliminated and replaced with an Executive Secretariat, (2) IRB meetings will be held at least annually, and (3) the Senior Procurement Executive will become a voting member.
[b] DOT’s proposed framework for IT governance, dated December 14, 2012, introduced the concept of an Investment Working Group (IWG), which would report to the IRB on its analysis and research of IT investments. A key responsibility of the IWG would include reviews of high-risk or underperforming investments, a role similar to DOT’s TechStat.
Source: OIG analysis of DOT’s December 4, 2009, IRB Charter; DOT’s draft October 23, 2012, IRB Charter; and OMB’s TechStat guidance.

DOT Did Not Fully Implement OMB’s TechStat Guidance Resulting in Diminished Oversight of Its Troubled Programs
During our review, DOT held TechStat reviews as a substitute for a comprehensive IT management framework. Even though it held TechStat reviews, it did not fully implement OMB’s TechStat guidance. DOT followed some of OMB’s guidance on TechStat accountability sessions, such as providing subject matter expert reviews of investment documents and preparing decision memoranda that assign action items to program offices.
However, DOT did not comply with OMB guidance to fully develop and institutionalize its TechStat process. Specifically, DOT did not (1) formalize its TechStat authority within its IT management framework, (2) establish clear criteria to select and prioritize investments requiring TechStat reviews, (3) consistently hold Operating Administrations accountable for completing assigned action items, or (4) implement an effective means to document and share lessons learned and best practices.

DOT did not formalize TechStat authority within its IT management framework. DOT has not updated its 2009 IRB Charter to reflect OMB guidance, which states that an agency’s IRB should be the primary governing body that enforces TechStat decisions. Without an updated charter, DOT’s IRB did not have formal authority over the TechStat decision-making process. In addition, since no IRB meetings were held, senior management lacked the insight and ability to oversee troubled programs, as OMB had intended for a functioning and comprehensive IT governance framework.[17]

[17] The DOT OCIO’s draft updated IRB charter, dated October 23, 2012, would, if adopted, provide the IRB with the authority to enforce TechStat decisions.

DOT does not have clear criteria to select and prioritize investments requiring TechStat reviews. According to OMB guidance, DOT should have a methodology and consistent metrics—such as cost, schedule, and program significance—to select investments for TechStat review. Because DOT does not have documented procedures for selecting and prioritizing programs for review, it may miss opportunities to turn around underperforming programs. For example, DOT’s TechStat has not yet reviewed three of seven programs that the DOT CIO currently rates as “at risk.”[18] These three programs represent over $81 million in fiscal year 2012 spending.[19]

[18] As of July 2012, DOT had seven programs rated as “medium risk” and no programs rated as “high risk.” Two of the three programs not reviewed have been “at risk” or underperforming since September and November 2011, while the other has been “at risk” since January 2011.
[19] As reported on OMB’s IT Dashboard.

DOT does not consistently hold Operating Administrations accountable for completing assigned TechStat action items. According to OMB guidance, action items are a main feature of TechStat sessions and can help ensure the success of reviewed programs. We reviewed the meeting minutes for 8 TechStat sessions[20]—all that were available at the time of our audit—and found that DOT did not track 41[21] (56 percent) of 73 action items to completion, all of which are at least 6 months overdue. For example, at a TechStat session for the National Highway Traffic Safety Administration’s (NHTSA) Modernization and Consolidation program—projected to spend $6.8 million through budget year 2013—DOT assigned seven action items to NHTSA program officials to improve cost consolidation, governance, program initiation, and business needs analysis.[22] Yet DOT only monitored three of the seven action items to ensure NHTSA completed them on time. This lack of accountability and follow-up weakens the Department’s management of troubled and underperforming programs, and may impede or delay decisions to redirect limited budget resources to other programs or agency priorities.

[20] Although DOT held nine total TechStat sessions, the information for one of these sessions was unavailable at the time of our review.
[21] The 41 action items include 37 listed in DOT’s action item tracking tool and 4 that were assigned during a TechStat session but not listed in the tracking tool. DOT did not have documentation explaining why these action items were not being tracked.

DOT lacks an effective means to document and share lessons learned and best practices for its TechStat process. According to OMB, an intended goal of the TechStat process is to document and share lessons learned and best practices. DOT’s OCIO stated that DOT officials currently share best practices verbally at monthly CIO council meetings; however, they do not keep meeting minutes, so any best practices that may be discussed are not documented—a practice contrary to OMB guidance.[23] Consequently, DOT is missing opportunities to leverage knowledge management, information-sharing best practices, and approaches from Government and industry to ensure that investments produce high-quality products on time and within budget.[24]

DOT Has Initiated Actions To Reform Its Governance Structure But Does Not Have a Comprehensive Implementation Plan
During the course of our audit, DOT’s OCIO initiated actions to reform its IT governance. These actions include proposing a new framework for DOT’s IT governance; issuing a policy order pertaining to DOT’s IT governance structure; and proposing a draft, updated IRB Charter.
However, DOT does not have a\ncomprehensive plan to implement the new policy order and to finalize the\nproposed framework and the draft, updated IRB Charter.\n\nIn March 2012, the OCIO shared with us a draft high-level proposal for a new\ndepartmentwide governance structure for major IT investments. The OCIO told us\nthat the components of the proposed March 2012 structure would include a\nreinstatement of DOT\xe2\x80\x99s IRB as the highest level of reporting and a continuation of\nTechStat accountability sessions of troubled or underperforming programs.\n\n22\n    According to NHTSA, this program is intended to replace two of its core data collection, analysis, and reporting\nsystems.\n23\n   OMB Circular A-123, \xe2\x80\x9cManagement\xe2\x80\x99s Responsibility for Internal Control,\xe2\x80\x9d Dec. 21, 2004. The Circular requires that\nappropriate internal control should be integrated into each agency system used to direct its operations. It also requires\nthat agency management should have well-defined documentation processes that contain an audit trail, include\nverifiable results, and specify document retention periods so that someone not connected with the procedures can\nunderstand them.\n24\n   A knowledge-based approach to product development efforts enables developers to be reasonably certain, at critical\njunctures or \xe2\x80\x9cknowledge points\xe2\x80\x9d in the acquisition life cycle, that their projects are more likely to meet established cost,\nschedule, and performance baselines, and therefore provides them with information needed to make sound investment\ndecisions. See GAO report, NASA: Implementing a Knowledge-Based Acquisition Framework Could Lead to Better\nInvestment Decisions and Project Outcomes (GAO-06-218A) Dec. 
21, 2005.

According to the OCIO, the goal of its new governance structure is to transform
the role of the OCIO to that of a trusted advisor and consultant on the
Department’s major IT projects.

On August 29, 2012, the OCIO issued Policy Order 1351.39, “Departmental
Information Technology Governance Policy,” intended to serve as the overarching
DOT policy pertaining to the governance structure for IT management investments
and operations. The policy order delegates new oversight responsibilities to
DOT’s CIO, including (1) development and implementation of policies, guidance,
standards, and tools to support implementation of the IT governance policy; and
(2) management of oversight processes, including accountability reviews of IT
investments and evidence-based reviews of IT portfolios. The policy order also
calls for Operating Administrations to comply with the IT governance policy and
for increased collaboration among stakeholders. For example, it requires DOT’s
CFO and Senior Procurement Executive (SPE) 25 to integrate the IT governance
policy with their processes for making budget, financial, and acquisition
management decisions.

However, Policy Order 1351.39 only provides a broad outline of DOT’s IT
governance structure and lacks details regarding day-to-day implementation and
practices. For example, the policy order describes DOT’s IT governance structure
as “multiple groups, processes, schedules, roles, and responsibilities” with no
mention of details of the OCIO’s proposed governance structure. Instead, the DOT
policy order acknowledges that the DOT OCIO needs to develop implementation
guidance.
26 Further, the OCIO has not yet developed a comprehensive plan with
milestones to implement the policy order, and the policy order does not clearly
define the roles of critical agency stakeholders in DOT’s governance processes. To
illustrate, the policy order does not specify the SPE’s role in key investment
control and oversight bodies, such as the IRB or TechStat. OMB guidelines and
GAO best practices state that failure to define roles and responsibilities can lead to
missed opportunities to improve acquisition outcomes. 27

25 The SPE’s responsibilities include ensuring that DOT acquisitions help accomplish the Department’s mission.
26 DOT Policy Order 1351.39, Section 39.10.1, Aug. 29, 2012.
27 OMB Memorandum, “Conducting Acquisition Assessments under OMB Circular A-123,” May 21, 2008;
GAO, A Framework for Assessing the Acquisition Function at Federal Agencies (GAO-05-218G), Sept. 2005.
28 DOT’s proposed IT governance framework, dated December 14, 2012, presented in a conceptual Microsoft
PowerPoint presentation, reflects an evolution of an earlier draft proposal that the OCIO shared with us in March 2012.

In September 2012, we briefed DOT on our audit findings; in response, on
December 14, 2012, DOT held its first IRB meeting since February 2011. At this
meeting, the Deputy Secretary emphasized his commitment to strengthening the
IRB’s role and oversight of DOT’s IT investments. The agenda for the December
14, 2012, IRB meeting consisted of the OCIO introducing the IRB members to (1)
a proposed framework for IT governance at DOT 28 and (2) a draft, updated IRB
Charter, dated October 23, 2012.
The OCIO’s proposed IT governance framework
includes a conceptual model illustrating the intended roles of DOT’s IRB, a new
Investment Working Group, the Operating Administration’s IRBs, and the DOT
and Operating Administrations’ budget offices. For example,

• The DOT IRB is intended to provide strategic direction and planning for
  departmentwide portfolio concerns and major investments, supply IT guidance
  in support of DOT’s budget and acquisition processes, and ensure
  accountability reviews of IT investments are conducted.

• A new Investment Working Group (IWG), which would report to the IRB, is
  intended to implement cross-cutting initiatives throughout DOT in support of
  the IRB’s priorities. For example, one of the IWG’s key responsibilities would
  be to review high-risk or underperforming investments—a role similar to DOT
  TechStat sessions.

• The Operating Administrations’ IRBs are intended to provide investment
  management—including selecting, controlling, and evaluating their
  investments.

• DOT’s budget office and the Operating Administrations’ budget offices would
  play a role in this new IT governance framework by providing input to the
  DOT IRB and the Operating Administrations’ IRBs.

According to the OCIO, this new governance structure would offer benefits
including cost savings from enterprise solutions, the setting of clear standards and
repeatable processes for departmentwide initiatives, a focus on key priorities for
managing DOT’s IT portfolio, and the integration of IT governance with the
budget formulation process and acquisition strategy and planning.
However, while
the OCIO’s proposed structure acknowledged that DOT needs to be more
accountable and efficient while implementing a sound governance process, the
OCIO has not yet set a date to finalize the framework and has not implemented
operating procedures to ensure that this framework is effectively institutionalized
and consistently implemented departmentwide.

The OCIO’s draft, updated IRB Charter presented at the December 14, 2012,
meeting addresses some concerns we shared with DOT during our September
2012 briefing. For example, the draft, updated IRB charter (1) calls for the IRB to
meet at least annually, (2) establishes DOT’s SPE as an IRB voting member, and
(3) assigns the IRB authority to execute management oversight of IT investment
performance through accountability reviews. However, DOT has not finalized a
date to approve the draft, updated IRB charter, and the IRB has not yet convened
to review DOT’s entire IT portfolio.

Until DOT fully implements its new policy order, finalizes its draft IT governance
framework and draft, updated IRB Charter, and integrates these three efforts, the
Department’s $2.2 billion IT investment portfolio—including NextGen
programs—is at risk of continued cost overruns and schedule slips due to
insufficient oversight.

FAA AND DOT FACE CHALLENGES IN PROVIDING SUFFICIENT
OVERSIGHT OF FAA’S IT INVESTMENTS
FAA’s JRC has a framework for investment governance, yet the Agency does not
always follow this JRC process. As a result, FAA risks making investment
decisions with incomplete information, which could jeopardize the success of
critical FAA programs.
Moreover, FAA has recently created a new ATO PMO to
oversee the execution of its IT programs and supplement the JRC, but it lacks
documented policies and procedures to function effectively in this role. Finally,
DOT’s governance process provides limited oversight of FAA’s major IT
investments, which comprise the vast majority of the Department’s investment
portfolio.

FAA Does Not Always Follow Its JRC Process
FAA provides a structure for investment governance through its JRC, which
includes a required approval and oversight process for key investment decisions.
However, the JRC does not always hold program offices accountable for following
this process, including (1) submitting critical investment information prior to
investment decisions, (2) approving investment information prior to decisions,
(3) completing action items on time, (4) meeting scheduled decision due dates, and
(5) maintaining a complete investment decision repository. In addition, the JRC’s
official investment decision repository is incomplete.

Critical investment documents are not always submitted prior to decisions.
The AMS and FAA guidance 29 require FAA program offices to provide the JRC
with specific acquisition planning and control documents prior to key investment
decisions. Without these documents—which contain critical investment data such
as program requirements, detailed plans, cost and schedule estimates, and business
cases—the JRC cannot ensure that it is fully informed on issues that may affect its
investment decisions. However, the JRC made key investment decisions (valued at
$23 million) for 2 of the 15 programs we reviewed without all of the required
investment information—including the Implementation Strategy and Planning
Document (ISPD).
FAA describes the ISPD as the most critical, relevant, and
meaningful information for investment decision making, as it contains plans for
the investment’s implementation and in-service management. In one case, the JRC
approved an $8 million baseline change for FAA’s Instrument Flight Procedures
Automation program without the required Acquisition Program Baseline
document. 30 In the other case, the JRC approved an initial investment decision for
FAA’s NextGen Facilities program and authorized $15 million to conduct final
investment analysis without required documentation, including the ISPD and the
Final Investment Analysis Plan. 31

29 FAA, Investment Decision Authority Process Guidance, Jul. 30, 2010.

Critical investment documents are not always approved prior to decisions.
FAA guidance also requires that the investment information documents be
approved and signed by FAA approving officials prior to investment decisions. 32
However, 4 of the 15 programs we reviewed—including the En Route Automation
Modernization program (ERAM) and Automatic Dependent Surveillance-Broadcast
(ADS-B), which are both NextGen programs—lacked required
approvals for some investment decision documents. Specifically, these programs
lacked approvals for documents such as the final business case, program baseline,
and ISPD. However, the JRC made over $1 billion in investment decisions for
these programs without approvals in place. 33 Missing and/or late signatures may
indicate that approving officials have unresolved concerns with the investment or
that they simply did not review the investment documents. An FAA official said
that the JRC and program offices discuss the risks associated with making
investment decisions without approved investment information.
However, FAA
does not document these risk discussions and has not developed risk mitigation
plans—contrary to AMS risk management policies. Further, we identified an
instance in which FAA approving officials backdated approvals of an investment
decision document. This practice calls into question the reliability of other
investment documents that appeared to have timely approvals.

30 The Acquisition Program Baseline defines cost, schedule, and performance baselines for the investment program.
31 The Final Investment Analysis Plan includes detailed cost and benefits estimates, detailed plans, and final
requirements for the most promising alternative.
32 FAA, Investment Decision Authority Process Guidance, Jul. 30, 2010.
33 This includes documents that are either still completely missing signatures or were approved as much as 2 months
after the decision date.

Controls are not in place to ensure action item due dates are met. The JRC
assigns action items to resolve outstanding issues from investment decisions, often
requiring program offices to finalize or obtain approval for investment documents.
However, the JRC does not have adequate controls to ensure action item due dates
are met. For example, the JRC did not hold the ERAM program office accountable
for meeting an action item deadline to resolve open concerns about its ISPD. FAA
had only given conditional approval for the ISPD because it had open concerns
about whether ERAM’s installation and maintenance activities complied with
necessary standards. Rather than require the program office to resolve these
concerns before the decision meeting, the JRC went ahead and approved a
$330 million cost baseline increase in June 2011. The JRC also required the
ERAM program office to resolve open concerns and submit an approved ISPD by
the end of July 2011.
Although the ERAM program office missed the deadline by
4 months, there is no evidence that the JRC followed up with ERAM program
officials, nor did it suspend or reconsider its rebaseline decision. The JRC’s
practice of conditionally approving investment decisions without resolving
existing technical program issues puts the schedule and cost for FAA programs at
risk. These risks are magnified in already troubled programs.

Scheduled investment decision meeting dates are not always met. The JRC
does not hold program offices accountable for missing scheduled investment
decision meetings. For example, FAA’s Aeronautical Information Management
Modernization (AIM-M) program office postponed a final investment decision
meeting three times over a 20-month period. The decision meeting concerned
segment 1 (valued at $23 million) of the AIM-M program, which is intended to
improve the capacity and efficiency of airspace usage while reducing safety
incidents caused by out-of-date or confusing information. Although the JRC
ultimately canceled the AIM-M final investment decision meeting, it authorized
$6.5 million in funding for the program based on the program office’s financial
and technical analysis. This practice of postponing or canceling key investment
decisions could also result in significant delays to interdependent programs. For
example, FAA’s Next Generation Air/Ground Communications (NEXCOM)
shares interdependencies with AIM-M and could be affected by delays in AIM-M
decisions.

The JRC’s investment decision repository is incomplete. FAA has not
identified what type of investment decision documentation should be maintained
by the JRC Executive Secretariat, and this office has only kept partial records of
investment decision documents in its official repository.
According to the AMS,
the JRC Executive Secretariat’s office is to populate and maintain the repository to
ensure it contains investment decision documentation, records of decision meeting
minutes, assigned action items, and investment decision guidance documents and
processes. However, the AMS does not specify which specific decision
documents, such as the ISPD, should be maintained in the repository.
Consequently, we found that critical investment information was sometimes
dispersed among the JRC repository, program offices, and other FAA offices.
Specifically, for the 15 FAA programs that had key investment decisions between
2010 and 2011, the repository lacked 14 of 53 investment decision documents—
including investment analysis plans and final ISPDs. Secretariat officials stated
that they did not consistently maintain documents in the repository because they
believed the documents were available elsewhere, such as a program office.
However, one Secretariat official said that maintaining all investment documents
in the repository would be a good business practice. In the absence of a properly
maintained investment repository, FAA is missing opportunities to leverage
knowledge management and information-sharing best practices and approaches
from Government and industry to effectively manage its investments, including
the (1) consistent management of investment information, (2) tracking of program
baselines, (3) identification of major IT cost and management trends and program
risks, (4) application of knowledge-based acquisition principles, and (5) capturing
of lessons learned.
34 Leading organizations in Government and industry have used
such approaches to deliver high-quality products on time and within budget.

FAA Is Currently Implementing a New ATO Program Management
Office To Enhance Program Oversight
In September 2011, Congress approved FAA’s request to create a new ATO
PMO 35 as part of the Agency’s “Foundation for Success” initiative, which is
focused on putting in place an improved organizational structure with the
flexibility needed to keep pace with the growth and advancement of aviation
worldwide. The ATO PMO is responsible for overseeing 26 of the Agency’s
37 major IT programs. FAA estimated that it would spend $1.8 billion on these
26 programs in fiscal year 2012. According to the Secretary of Transportation,
combining FAA’s program managers under one organization will create a stronger
program management community, provide greater transparency and
accountability, and improve consistency and sharing of best practices. However,
Congress noted that FAA’s past efforts to streamline operations have met with
limited success in controlling operating costs and executing major acquisitions,
and warned that the new reorganization will be “hollow” unless FAA builds the
necessary expertise and strengthens program management for NextGen. 36

Within the ATO PMO, FAA established a Program Control Group, which is
expected to provide another layer of review to supplement the JRC’s investment
approval and oversight processes. 37 However, the group is only about 55 percent
staffed and lacks documented policies and procedures to function effectively in
this role.
38 For example, PMO officials stated that the Program Control Group is
responsible for assessing investment decision documents, yet the group lacks
formal policies and procedures to evaluate whether decision documents will
provide the JRC with reliable and complete information on which to make
investment decisions. PMO officials stated that process standardization will occur
over time but could not provide dates by which it expected to complete this
standardization.

34 GAO, Information Technology Investment Management: A Framework for Assessing and Improving Process
Maturity (GAO-04-394G), Mar. 2004.
35 FAA PMO officials told us that the PMO was “stood up” in May 2012.
36 Departments of Transportation, and Housing and Urban Development, and Related Agencies Appropriations Bill,
2013 (House of Representatives Report No. 112-541), Jun. 20, 2012.
37 The Program Control Group’s other functions include providing quality assurance, monitoring program metrics,
tracking best practices, standardizing program reporting mechanisms, and serving as a direct interface to other lines of
business (such as FAA’s acquisitions, CIO, and finance offices). The Program Control Group meets biweekly.
38 GAO’s March 2004 report, Information Technology Investment Management: A Framework for Assessing and
Improving Process Maturity, states that in order for an organization to develop a sound IT investment process, it must
attain successful IT investment control techniques at the project level. The absence of predictable, repeatable, and
reliable investment control processes will result in ineffective evaluation processes and contradictory efforts at process
improvement.
Without standardized operating processes, it may be challenging
for the PMO to effectively manage FAA’s ATO programs and achieve its goals
for transparency, accountability, and consistency.

DOT’s IT Governance Process Provides Limited Oversight of FAA
Investments
FAA accounts for a significant portion of DOT’s investments and, in fiscal year
2012, represented 94 percent ($2.07 billion) of DOT’s total major IT investment
portfolio. However, the DOT IRB provides limited oversight of these investments.
FAA has agreed to take part in DOT’s IRB investment planning and oversight
processes—through actions such as signing DOT’s 2009 IRB charter and agreeing
to “voluntarily participate” in the IRB’s ExComm reviews 39—even though the
Agency has been granted independent acquisition authority. 40 According to FAA,
this authority exempts the Agency from most Federal procurement laws, including
the Clinger-Cohen Act that mandated agency IRBs. Despite FAA’s voluntary
agreement to take part in DOT’s IT investment management process, DOT’s
OCIO officials told us that FAA’s independent acquisition authority could impede
the Department’s ability to oversee FAA investments. 41 Therefore, DOT has only
reviewed two FAA programs in the past 2 years, even though FAA’s investments
make up the largest portion of DOT’s IT investment portfolio. DOT’s IRB
reviewed FAA’s ERAM program in February 2011, and DOT performed a
TechStat review of FAA’s NAS Voice System, a key enabling program for
NextGen, in April 2012.

Improved oversight is especially important for FAA’s NextGen transformational
programs, given their mission criticality and significant cost.
FAA plans to spend
more than $2 billion on NextGen over the next 4 years; yet, as we reported in
April 2012, FAA has not established reliable and comprehensive baselines for its
six NextGen transformational programs and has made limited progress
implementing them due to a lack of finalized requirements. 42

39 DOT Deputy Secretary Memorandum, “OA Investment Review Board (IRB) Requirements and Interaction with the
Executive Committee (ExComm) of the DOT IRB,” Nov. 4, 2008.
40 49 U.S.C. § 106(f) states that the FAA Administrator, rather than the Secretary of Transportation, has final authority
over FAA Acquisitions; 49 U.S.C. § 40110(d) empowers the FAA Administrator to establish the AMS to address the
unique needs of FAA without requiring compliance with most Federal acquisition laws or regulations.
41 The FAA administrator has the final authority with respect to FAA acquisitions using the Agency’s independent
procurement authority once the final investment is approved by the JRC.
42 Status of Transformational Programs and Risks to Achieving NextGen Goals (OIG Report No. AV-2012-094), Apr.
23, 2012.

CONCLUSION
Effective investment oversight and decision making are critical to the
Department’s IT modernization efforts—especially FAA’s NextGen programs.
However, governance structures, related plans, and procedures for
implementation, as well as oversight processes are incomplete.
Until DOT and
FAA address these shortfalls, their ability to effectively manage major acquisitions
and make well-informed investment management decisions remains at risk, as
does the Department’s ability to reap the benefits that accompany sound IT
investment management and oversight strategies.

RECOMMENDATIONS
We recommend that the DOT Deputy Secretary require the OCIO to:

1. Develop a comprehensive implementation plan for its proposed IT governance
   framework, which includes all DOT Operating Administrations’ IT
   investments and clearly assigns organizational responsibilities, accountability
   and authority, milestones to complete activities, and written policies and
   procedures. This implementation plan should integrate and coordinate Policy
   Order 1351.39, “Departmental Information Technology Governance Policy”;
   DOT’s draft, updated IRB Charter; and any other documents integral to the
   framework.

2. Finalize DOT’s draft, updated IRB charter to clarify organizational
   responsibilities, define IRB and TechStat roles and responsibilities, and
   establish the Senior Procurement Executive as a voting member.

3. Establish written policies and procedures for TechStat accountability sessions,
   or similar review sessions for troubled and underperforming IT investments.
   These policies and procedures should include criteria for selecting programs to
   review, accountability controls to ensure action items are fully and timely
   implemented, and a method to share and document lessons learned across the
   Department.

We recommend that FAA’s Federal Acquisition Executive:

4. Strengthen internal controls to ensure that required investment decision
   documents are reviewed and approved prior to JRC decision meetings as
   required by the Acquisition Management System.

5. Develop procedures to (a) document the JRC’s discussions with program
   offices when JRC decisions are made without required investment documents,
   (b) identify the risks of moving forward without the documents, and (c) ensure
   that these documented discussions are maintained in the JRC’s information
   repository.

6. Establish procedures to ensure that the JRC Executive Secretariat effectively
   maintains the JRC’s information repository, including all documents that
   support key investment decisions.

7. Update the Acquisition Management System to specify the investment
   documents that are required to be included in JRC’s information repository and
   the location of those that should be stored elsewhere.

We recommend that FAA’s Vice President of the ATO PMO:

8. Fully staff the ATO Program Control Group, and develop and implement
   standardized operating policies and procedures for use by the group.

AGENCY COMMENTS AND OFFICE OF INSPECTOR GENERAL
RESPONSE
We provided OST and FAA with our draft report on January 22, 2013, and
received its response on March 12, 2013, which can be found in its entirety in the
appendix of this report. OST and FAA concurred with all recommendations and
stated that they have already implemented corrective actions for recommendations
3 and 6, as of March 12, 2013. We consider these recommendations resolved but
open pending our verification that these reported corrective actions are complete.
OST and FAA have also provided sufficient planned actions with reasonable
target dates for recommendations 1, 2, 4, 5, 7, and 8.
Accordingly, we consider
these recommendations resolved but open pending completion of the planned
actions.

ACTIONS REQUIRED
We consider recommendations 1, 2, 4, 5, 7, and 8 resolved but open pending
completion of the planned actions. We consider recommendations 3 and 6
resolved but open pending our verification of the completed actions cited by OST
and FAA. For recommendations 3 and 6, we request that OST and FAA provide
information that clearly indicates what actions have been taken. Specifically, for
recommendation 3, we request that OST provide us the DOT OCIO’s completed
standard operating procedure for the TechStat process and the date of its
implementation. For recommendation 6, we request that FAA provide us its
procedures to ensure that the JRC Executive Secretariat effectively maintains the
JRC’s information repository and the date of their implementation. In accordance
with DOT Order 8000.1C, we request that OST and FAA provide this information
within 30 days.

We appreciate the courtesies and cooperation of OST and FAA representatives
during this audit. If you have any questions concerning this report, please call me
at (202) 366–5225; Tony Wysocki, Program Director, at (202) 493–0223; or Dana
Short, Project Manager at (202) 366–2089.

#

cc:   DOT Audit Liaison (M–1)
      FAA Audit Liaison (AAE–100)

EXHIBIT A. SCOPE AND METHODOLOGY
We conducted this audit between September 2011 and January 2013 in accordance
with generally accepted Government auditing standards.
Those standards require
that we plan and perform the audit to obtain sufficient, appropriate evidence to
provide a reasonable basis for our findings and conclusions based on our audit
objectives. We believe that the evidence obtained provides a reasonable basis for
our findings and conclusions based on our audit objectives.

To assess whether the Department of Transportation’s (DOT) investment
governance practices meet Federal and statutory investment oversight
requirements and best practices, we reviewed all of the Office of the Secretary’s
(OST) TechStat accountability sessions held from March 2011 through April 2012
to determine the extent to which OST follows the Office of Management and
Budget’s (OMB) TechStat model. In addition, we interviewed officials from
DOT’s Office of the Chief Information Officer (OCIO) and Office of the Chief
Financial Officer (OCFO) and the Senior Procurement Executive (SPE). We also
surveyed the 12 Operating Administrations’ CIOs to collect information on OST’s
acquisition oversight and decision processes; 11 CIOs responded.

To assess whether the Federal Aviation Administration (FAA) and DOT provide
sufficient oversight of FAA’s major information technology investments, we
reviewed 15 (100 percent) of the key investment decisions, with a total value of
over $2.6 billion, that were made by FAA’s Joint Resources Council (JRC) during
calendar year 2010 through November 2011. We reviewed these decisions to
determine if required documentation was received, approved, and signed at the
time of the decision date.
We also interviewed FAA’s JRC Executive Secretariat,
JRC members, FAA’s Federal Acquisition Executive, an OCFO official, the Air
Traffic Organization’s Program Management Office (ATO PMO) officials, and
FAA program managers.

In addition, we assessed FAA’s and OST’s investment approval and oversight,
procurement practices, and compliance against criteria and best practices such as:

• FAA:
  - Acquisition Management System (AMS), including 1.2 Key Elements of
    Acquisition Management; 2.0 Lifecycle Acquisition Management Policy;
    4.15 Post Implementation Review and Operational Analysis, Appendix A:
    Roles and Responsibilities, and Appendix B: Acquisition Planning and
    Control Documents.
  - FAA’s Capital Investment Plan for FY 2012-2016 and FY 2013-2017.

• OMB:
  - OMB Circulars: A-11, Part 7: “Planning, Budgeting, Acquisition, and
    Management of Capital Assets,” August 2011; A-123, “Management’s
    Responsibility for Internal Control,” Dec.
    21, 2004; and A-130,
    “Management of Federal Information Resources,” November 28, 2000.
  - OMB Capital Programming Guide V3.0 Supplement to OMB Circular A-11,
    Part 7: “Planning, Budgeting, Acquisition, and Management of Capital
    Assets,” August 2011.
  - OMB Memorandum, “Conducting Acquisition Assessments under OMB
    Circular A-123,” May 21, 2008.
  - OMB Memorandum, “Chief Information Officer Authorities,” August 8,
    2011.
  - OMB, 25 Point Implementation Plan to Reform Federal Information
    Technology Management, December 2010.

• Government Accountability Office (GAO), Information Technology
  Investment Management: A Framework for Assessing and Improving Process
  Maturity (GAO-04-394G), March 2004.

• Clinger-Cohen Act of 1996 (formerly the Information Technology
  Management Reform Act).

• National Aeronautics and Space Administration (NASA):
  - NASA Policy Directive 1440.6H, “NASA Records Management,” March
    2008.
  - NASA Procedural Requirements 1441.1D, “NASA Record Retention
    Schedules,” June 2009; 2800.1B, “Managing Information Technology,”
    March 2009; 7120.6, “Lessons Learned Process,” January 2010; and
    7120.7, “NASA Information Technology and Institutional Infrastructure
    Program and Project Management Requirements,” December 2011.

• Department of Defense (DoD):
  - DoD Directive 5000.02, “Operation of the Defense Acquisition System,”
    December 2008.
  - DoD IT Defense Business Systems Investment Review Process Guidance,
    January 2009.
  - DoD Report to Congress, “DoD Investment Review Board and Investment
    Management Process for Defense Business Systems,” March
    2012.

Finally, to gain an understanding of IT investment best practices, we spoke with
officials at GAO and OFPP.


EXHIBIT B. PRIOR OIG AUDITS RELATED TO FAA PROGRAMS

These OIG reports and testimonies are available on our Web site at
www.oig.dot.gov.

Status of Transformational Programs and Risks to Achieving NextGen Goals
   (OIG Report No. AV-2012-094), Apr. 23, 2012.

DOT Does Not Have an Effective Enterprise Architecture for the Management of
  Information Technology Changes (OIG Report No. FI-2012-086),
  Apr. 17, 2011.

Progress and Challenges in Developing and Transitioning to the Next Generation
   Air Transportation System (OIG Congressional Testimony No. CC-2011-036),
   Oct. 5, 2011.

Actions Needed to Meet FAA’s Long-Term Goals for NextGen
   (OIG Congressional Testimony No. CC-2011-016), Feb. 16, 2011.

Status of FAA’s Major Acquisitions: Cost Growth and Schedule Delays Continue
   to Stall Air Traffic Modernization (OIG Report No. AV-2005-061),
   May 26, 2005.


EXHIBIT C. MAJOR CONTRIBUTORS TO THIS REPORT

Name                                    Title
Anthony Wysocki                         Program Director
Dana Short                              Project Manager
Angela Hailes                           Analyst
David Lahey                             Auditor
Kathryn Novicky                         Analyst
Arnett Sanders                          Project Manager
Amy Berks                               Senior Counsel
Tanner Horton-Jones                     Legal Intern
Christina Lee                           Writer-Editor


APPENDIX. AGENCY COMMENTS

THE DEPUTY SECRETARY OF TRANSPORTATION
WASHINGTON, D.C. 20590

March 12, 2013

MEMORANDUM TO:  Calvin L. Scovel III
                Inspector General

FROM:           John D. Porcari
                Deputy Secretary

SUBJECT:        Management Response to Office of Inspector General Draft
                Report on the Department’s Information Technology
                Investment Governance Process

Information Technology Investments Are Thoroughly Scrutinized

The Department has provided thorough oversight of information technology (IT) investments
in order to achieve the best possible outcomes using available tools and current processes.
This has included consideration of systems from various perspectives, including technical,
budgetary, and procurement. Oversight processes have been applied at the Operating
Administration (OA) level and in the Office of the Secretary. These processes have been
effective at identifying problem systems as well as identifying and implementing the
measures necessary to get these systems back on track. While effective, we recognize that
the Department would benefit from a more comprehensive approach that fully achieves the
synergies available by refreshing the Investment Review Board (IRB) process to ensure the
new governance process provides meaningful and effective oversight.

More Comprehensive Governance Structure for Major IT Investments

Substantive changes are underway to enhance the governance processes utilized by the
Department.
The Investment Review Board (IRB) is currently revising its charter to place a
clearer focus on strategic leadership for all departmental IT investments. The IRB is
planning to reconvene as the Department refines its IT governance and portfolio management
policies and practices to improve the effectiveness of IT investment management while
promoting efficient use of IT resources. The Department is working to ensure that its
governance process effectively aligns the technical perspective of the CIO with the resource
availability and efficiency perspective from the Chief Financial Officer and sound
contracting practices through the Senior Procurement Executive. At the same time, DOT
needs to accommodate sound IRB principles and practices in a manner that is consistent with
its unique statutory requirements and maintaining effective interactions with the Federal
Aviation Administration (FAA).

Central to enabling this strategic leadership, the departmental governance structure seeks to
take a portfolio-based approach, tightly integrating the areas of Enterprise Architecture (EA)
and Capital Planning & Investment Control (CPIC). EA provides authoritative data, used to
conduct analysis that frames strategic opportunities for IT investments. CPIC is the manner
by which we select our strategic IT investments, monitor their progress and ensure they
achieve the intended business outcomes. This renewed focus is intended to provide not only
compliance with the issues identified in the OIG draft report, but to give a clear picture of the
Department’s IT portfolio and how those investments are being developed and managed
throughout their lifecycle.

Over the past year, the Department, including the FAA, has made significant progress in
further improving IT capital investment processes and oversight of these investments.
For example, the Acting Chief Information Officer, Senior Procurement Executive and the Chief
Financial Officer are working closely on strategic sourcing and investments supporting the
planning, acquisition, and management of information technology for the entire Department.
In addition, in order to assure even greater transparency over FAA investments, the FAA has
invited the Department’s Office of the Chief Information Officer (OCIO) as well as a
member of the Office of the Chief Financial Officer to attend the FAA Joint Resources
Council (JRC) meetings.

RECOMMENDATIONS AND RESPONSE

OIG offered the following recommendations to OST:

Recommendation 1: Develop a comprehensive implementation plan for its proposed IT
governance framework, which includes all DOT Operating Administrations’ IT investments
and clearly assigns organizational responsibilities, accountability and authority, milestones to
complete activities, and written policies and procedures. This implementation plan should
integrate and coordinate Policy Order 1351.39, “Departmental Information Technology
Governance Policy;” DOT’s draft, updated IRB Charter; and any other documents integral to
the framework.

Response: Concur. The DOT OCIO is currently completing a comprehensive
implementation plan for the new governance processes. We intend to complete this action by
June 28, 2013.

Recommendation 2: Finalize DOT’s draft, updated IRB charter to clarify organizational
responsibilities, define IRB and TechStat roles and responsibilities, and establish the Senior
Procurement Executive as a voting member.

Response: Concur. The DOT OCIO has sent a revised IRB Charter to all OAs, adjudicated
and updated with appropriate comments, and will have a final signed version for use by the
DOT IRB.
We intend to complete this action by June 28, 2013.

Recommendation 3: Establish written policies and procedures for TechStat accountability
sessions, or similar review sessions for troubled and underperforming IT investments. These
policies and procedures should include criteria for selecting programs to review, accountability
controls to ensure action items are fully and timely implemented, and a method to share and
document lessons learned across the Department.

Response: Concur. The DOT OCIO has completed a standard operating procedure (SOP)
for the TechStat process, tailored to the needs of the Department, and will provide a copy to
the OIG with our final response. This recommendation has been completed in full.

OIG offered the following recommendations to FAA:

Recommendation 4: Strengthen internal controls to ensure that required investment
decision documents are reviewed and approved prior to JRC decision meetings as required by
the Acquisition Management System.

Response: Concur. The FAA JRC Executive Secretariat will ensure required investment
decision documents are reviewed and approved prior to JRC decision meetings by using the
JRC Readiness System to track open checklist items that must be closed before the
investment is placed on the JRC meeting agenda. The internal process calls for required
documents to be provided to the JRC Secretariat one week prior to the investment decision
meeting. The Secretariat has established a mailbox which is used as a drop box where the
documents (with all the required signatures) are uploaded, extracted and placed in the official
repository. This change in our internal controls was put into place in May of 2012.
In the event an exception is granted, for example when an approving official requests a JRC
discussion prior to final concurrence for good cause and there is no objection from the
organization that has not yet signed, an action item will be formally assigned and tracked to
closure using the JRC tracking system. Open action items are reviewed at each Acquisition
Quarterly Program Review meeting by the JRC, which gives the members an opportunity to
take the appropriate action to ensure action items are completed. These enhancements to our
internal controls are being documented in the JRC Executive Secretariat’s standard operating
procedures. This recommendation is intended to be completed by April 30, 2013.

Recommendation 5: Develop procedures to (a) document the JRC’s discussions with
program offices when JRC decisions are made without required investment documents, (b)
identify the risks of moving forward without the documents, and (c) ensure that these
documented discussions are maintained in the JRC’s information repository.

Response: Concur. The FAA JRC investment decision briefing templates will be revised to
reflect that any investment program requesting approval from the JRC to be allowed to
proceed to an investment decision without providing the required documentation prior to the
decision meeting must identify the reason for the delay in providing the documents, the risks
if allowed to move forward without them, and the planned date that the documents will be
provided to the JRC Executive Secretariat. The Record of Decision (ROD) of the meeting
will document the discussion held by the JRC, the assigned action item, the action item due
date and organization responsible for completing the action.
The briefing provided to the JRC
along with the final approved ROD will be maintained in the JRC documentation repository.
The briefing templates will be revised and posted to the JRC Executive Secretariat web site
for use by investment programs by April 30, 2013.

Recommendation 6: Establish procedures to ensure that the JRC Executive Secretariat
effectively maintains the JRC’s information repository, including all documents that support
key investment decisions.

Response: Concur. The aforementioned procedures that have been developed and executed
related to the JRC Executive Secretariat internal controls will be used to ensure that the FAA
JRC documentation repository both physical and virtual are effectively maintained. All
documentation identified in the AMS as exit criteria for each key decision point is being
obtained prior to the investment decision meeting or by the assigned due date established by
the JRC and placed in the physical repository and uploaded in the virtual repository. This
recommendation is considered complete.

Recommendation 7: Update the Acquisition Management System to specify the investment
documents that are required to be included in JRC’s information repository and the location
of those that should be stored elsewhere.

Response: Concur. FAA will update the Acquisition Management System by April 30,
2013 to specify the AMS-required decision documents to be stored in the JRC’s information
repository, and the location of other related documents to be stored elsewhere.

Recommendation 8: Fully staff the ATO Program Control Group, and develop and
implement standardized operating policies and procedures for use by the group.

Response: Concur.
The FAA Air Traffic Organization’s Program Management
Organization (PMO) is adding staff to the Program Control Group and intends to have it fully
staffed by September 30th, 2013. The PMO is currently developing and implementing several
Standard Operating Procedures (SOPs) for the entire organization, including Program
Control. For clarification, the PMO Program Control Group is not intended to be responsible
for assessing investment decision documents in order to evaluate whether the documents will
provide the JRC with reliable and complete information. Multiple organizations across the
Agency are responsible for assessing decision documents, including the Office of Financial
Management, NAS Systems Engineering Services, and ATO’s Technical Operations Service
Unit. The Program Control Group, once fully staffed, will perform assessments of PMO
program planning documentation, to ensure consistency and accountability for the PMO
leadership. The PMO plans to develop the SOP for these assessments by June 30th, 2013.
Additional PMO Program Control SOPs are planned to be developed and implemented prior to
June 30th, including the procedures for internal Program Reviews, PMO Business Planning,
and various document control processes.
'